diff --git a/README.md b/README.md index 7d09b4a..ff3c172 100644 --- a/README.md +++ b/README.md @@ -25,5 +25,5 @@ In order to display the proper syntax highlighting on Gitea, you should use the --- > [unitoo.it](https://www.unitoo.it)  ·  -> Fediverse [admin@social.unitoo.it](https://social.unitoo.it/admin)  ·  +> Mastodon [@unitoo](https://mastodon.uno/@unitoo)  ·  > GitHub [@UnitooTeam](https://github.com/UnitooTeam) diff --git a/cloud-init/swarm-manager.yml b/cloud-init/swarm-manager.yml deleted file mode 100644 index b27d58d..0000000 --- a/cloud-init/swarm-manager.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -#cloud-config - -ssh_genkeytypes: [ecdsa, ed25519] - -# upgrade system -package_update: true -package_upgrade: true - -# various dependencies -packages: - - ca-certificates - - curl - - gnupg - - lsb-release - -write_files: - - path: /etc/iptables/rules.v4 - permissions: 0644 - owner: root:root - content: | - *filter - :INPUT DROP [0:0] - :FORWARD DROP [0:0] - :OUTPUT ACCEPT [0:0] - -A INPUT -i lo -j ACCEPT - -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - -A INPUT -m conntrack --ctstate INVALID -j DROP - -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -o lo -j ACCEPT - -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable - COMMIT - - path: /etc/iptables/rules.v6 - permissions: 0644 - owner: root:root - content: | - *filter - :INPUT DROP [0:0] - :FORWARD DROP [0:0] - :OUTPUT ACCEPT [0:0] - -A INPUT -i tun0 -j ACCEPT - -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - -A INPUT -m conntrack --ctstate INVALID -j DROP - -A OUTPUT -o tun0 -j ACCEPT - -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable - COMMIT - -runcmd: - - [mkdir, -p, /usr/local/apt-keys] - - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] - - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null' - - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list" - - [apt-get, update] - - [apt-get, install, -y, yggdrasil] - - [sed, -r, -i, 's/Peers:\s\[\]/Peers: 
[\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf] - - [systemctl, enable, --now, yggdrasil] - - - [mkdir, -p, /etc/apt/keyrings] - - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" - - 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null' - - [chmod, a+r, /etc/apt/keyrings/docker.gpg] - - [apt-get, update] - - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin' diff --git a/ipfs/etc/nginx/sites-available/ipfs-gateway.conf b/ipfs/etc/nginx/sites-available/ipfs-gateway.conf deleted file mode 100644 index 97687da..0000000 --- a/ipfs/etc/nginx/sites-available/ipfs-gateway.conf +++ /dev/null 
@@ -1,131 +0,0 @@ -upstream gateway { - server 127.0.0.1:8081; -} - -server { - server_name ipfs.unitoo.it ipns.unitoo.it; # managed by Certbot - listen 443 default_server ssl; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always; - add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always; - - proxy_pass_header Server; - proxy_read_timeout 1800s; - - error_page 403 /403.html; - - location /403.html { - root /var/www/html; - allow all; - } - - location /403.png { - root /var/www/html; - allow all; - } - - location /400.html { - root /var/www/html; - allow all; - } - - location /ipns { - proxy_pass http://gateway; - proxy_set_header Host unitoo.it; - proxy_cache_bypass $http_upgrade; - - proxy_intercept_errors on; - - allow all; - - error_page 400 /400.html; - } - - location /ipfs { - proxy_pass http://gateway; - proxy_set_header Host unitoo.it; - proxy_cache_bypass $http_upgrade; - - proxy_intercept_errors on; - - allow all; - - error_page 400 /400.html; - } - - location / { - proxy_pass http://localhost:5001; - proxy_set_header Host $host; - proxy_cache_bypass $http_upgrade; - deny all; # <- Deny other traffic - } - - ssl_certificate /etc/letsencrypt/live/ipfs.unitoo.it/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/ipfs.unitoo.it/privkey.pem; # managed by Certbot - - include snippets/denylist.conf; -} - -server { - server_name *.ipfs.unitoo.it *.ipns.unitoo.it; - listen 443 ssl; - - proxy_read_timeout 1800s; - - error_page 403 /403.html; - - location /403.html { - root /var/www/html; - allow all; - } - - location /403.png { - root /var/www/html; - allow all; - } - - location /400.html { - root 
/var/www/html; - allow all; - } - - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always; - add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always; - - include snippets/denylist.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Ipfs-Gateway-Prefix ""; - proxy_pass http://gateway; - } -} - -server { - server_name ipfs.unitoo.it ipns.unitoo.it; - listen 80; - - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always; - add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always; - - proxy_pass_header Server; - proxy_read_timeout 1800s; - - include snippets/denylist.conf; - - location ~ "^/(ipfs|ipns|api)(/|$)" { - proxy_set_header Host unitoo.it; - proxy_set_header X-Ipfs-Gateway-Prefix ""; - proxy_pass http://gateway; - } - - return 404; -} diff --git a/ipfs/lib/systemd/system/ipfs.service b/ipfs/lib/systemd/system/ipfs.service deleted file mode 100644 index e256157..0000000 --- a/ipfs/lib/systemd/system/ipfs.service +++ /dev/null 
@@ -1,57 +0,0 @@
-[Unit]
-Description=IPFS Daemon
-Documentation=https://docs.ipfs.io/
-After=network.target
-
-[Service]
-# hardening
-ReadWritePaths=/home/ipfs /mnt/ipfs
-NoNewPrivileges=true
-ProtectSystem=strict
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-PrivateDevices=true
-DevicePolicy=closed
-ProtectControlGroups=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-ProtectHostname=true
-PrivateTmp=true
-ProtectClock=true
-LockPersonality=true
-RestrictNamespaces=true
-RestrictRealtime=true
-MemoryDenyWriteExecute=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged
-#ProtectHome=true
-RemoveIPC=true
-RestrictSUIDSGID=true
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-
-LimitNOFILE=8192
-#LimitNice=10
-MemoryAccounting=true
-#MemoryHigh=768M
-#MemoryMax=1024M
-MemorySwapMax=0
-CPUAccounting=true
-CPUQuota=40%
-TimeoutStartSec=infinity
-
-Type=notify
-Environment="IPFS_PATH=/mnt/ipfs"
-Environment=IPFS_LOGGING="error"
-Environment=IPFS_FD_MAX=8192
-ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
-User=ipfs
-Group=ipfs
-StateDirectory=ipfs
-Restart=always
-RestartSec=60
-KillMode=process
-KillSignal=SIGINT
-
-[Install]
-WantedBy=multi-user.target
diff --git a/iptables/iptables-http-full-f2b.fw b/iptables/iptables-http-full-f2b.fw
index 377d871..45db85a 100644
--- a/iptables/iptables-http-full-f2b.fw
+++ b/iptables/iptables-http-full-f2b.fw
@@ -1,7 +1,7 @@
 *filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
 :f2b-sshd - [0:0]
 -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
 -A INPUT -i lo -j ACCEPT
diff --git a/iptables/iptables-http-full.fw b/iptables/iptables-http-full.fw
index b1a0ad2..6b2a30b 100644
--- a/iptables/iptables-http-full.fw
+++ b/iptables/iptables-http-full.fw
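Review bot: The FORWARD chain's default policy is loosened from DROP to ACCEPT on the `+:FORWARD ACCEPT [0:0]` line, so any packet the kernel routes between interfaces now passes by default, and nothing visible in this file adds a FORWARD rule to constrain it; unless the host is meant to route, the template should keep `:FORWARD DROP [0:0]`, and if it is (a container engine or a VPN, say), explicit per-interface ACCEPT rules are the safer way to express that than an open policy. The non-zero counters in `+:INPUT DROP [4414218:211789180]` and `+:OUTPUT ACCEPT [17973:1146056]` suggest the template was overwritten with an `iptables-save` dump from a running host rather than edited; `iptables-restore` ignores them unless `--counters` is given, but they make every future diff noisy and should go back to `[0:0]`. The same policy flip is applied to the other two firewall templates in this commit, so whichever way it is decided, the three files should stay consistent.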
@@ -1,7 +1,7 @@
 *filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP
diff --git a/iptables/iptables-ssh-only.fw b/iptables/iptables-ssh-only.fw
index a0ae6e0..42ec8dc 100644
--- a/iptables/iptables-ssh-only.fw
+++ b/iptables/iptables-ssh-only.fw
@@ -1,7 +1,7 @@
 *filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
+:INPUT DROP [4414218:211789180]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [17973:1146056]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP
diff --git a/matrix/database_vacuum_instructions.md b/matrix/database_vacuum_instructions.md
deleted file mode 100644
index 26fc683..0000000
--- a/matrix/database_vacuum_instructions.md
+++ /dev/null
@@ -1,5 +0,0 @@
-1. Activate `synapse-admin` following instructions provided by playbook
-2. Use `synapse-admin` to clean rooms or what you don't need
-3. Stop `synapse`
-3. Run `REINDEX (VERBOSE) DATABASE dbnamehere;` from your db client
-4. Run `VACUUM FULL VERBOSE;` from your db client
diff --git a/nextcloud/var/www/html/nextcloud/config/config.s3.php b/nextcloud/var/www/html/nextcloud/config/config.s3.php
index 369b99d..0790fd8 100644
--- a/nextcloud/var/www/html/nextcloud/config/config.s3.php
+++ b/nextcloud/var/www/html/nextcloud/config/config.s3.php
@@ -9,7 +9,7 @@ $CONFIG = array (
 ),
 'datadirectory' => '/var/www/html/nextcloud/data',
 'dbtype' => 'mysql',
- 'version' => '23.0.3.2',
+ 'version' => '21.0.3.1',
 'overwrite.cli.url' => 'http://your_domain/',
 'htaccess.RewriteBase' => '/',
 'dbname' => 'nextcloud',
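Review bot: `+:FORWARD ACCEPT [0:0]` turns the forwarding default from deny to allow in a template whose rules, as far as the hunk shows, only ever filter INPUT (`-A INPUT …`), so there is nothing left to restrict routed traffic should `net.ipv4.ip_forward` ever be enabled on a host that loads this file; keep `:FORWARD DROP [0:0]` unless the host is intentionally a router. The live packet and byte counters on the INPUT and OUTPUT policy lines are a side effect of dumping a running ruleset and should be reset to `[0:0]` before the file is committed as a template.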
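Review bot: For a template named `iptables-ssh-only.fw`, whose premise is that nothing but SSH is reachable, `+:FORWARD ACCEPT [0:0]` is the wrong default: a host that forwards packets on behalf of others is exactly what this profile exists to rule out, and `:FORWARD DROP [0:0]` costs nothing on a machine that does not route. If the three templates are regenerated from one live host, a pass such as `iptables-save | sed 's/\[[0-9]*:[0-9]*\]/[0:0]/'` would keep the counters now visible on the INPUT and OUTPUT lines out of version control.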
@@ -61,23 +61,4 @@ $CONFIG = array (
 'mail_smtppassword' => '',
 'maintenance' => false,
 'default_phone_region' => 'IT',
- 'enable_previews' => true,
- 'preview_max_x' => 4096,
- 'preview_max_y' => 4096,
- 'preview_max_memory' => 768,
- 'preview_max_filesize_image' => 50,
- 'enabledPreviewProviders' => [
- 'OC\Preview\PNG',
- 'OC\Preview\JPEG',
- 'OC\Preview\GIF',
- 'OC\Preview\HEIC',
- 'OC\Preview\BMP',
- 'OC\Preview\XBitmap',
- 'OC\Preview\MP3',
- 'OC\Preview\TXT',
- 'OC\Preview\MarkDown',
- 'OC\Preview\OpenDocument',
- 'OC\Preview\Krita',
- 'OC\Preview\PDF',
- ],
 );
diff --git a/wireguard/client/etc/wireguard/wg0.conf b/wireguard/client/etc/wireguard/wg0.conf
deleted file mode 100644
index cc746fe..0000000
--- a/wireguard/client/etc/wireguard/wg0.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-[Interface]
-Address=
-PrivateKey = `wg genkey`
-ListenPort =
-
-[Peer]
-PublicKey =
-Endpoint = :
-AllowedIPs = /24
-
-# This is for if you're behind a NAT and
-want the connection to be kept alive.
-PersistentKeepalive = 25
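Review bot: Dropping the explicit `enabledPreviewProviders` list and the `preview_max_*` limits silently changes which file types the instance will render: Nextcloud falls back to its built-in defaults, which, if I remember them correctly, do not include the `OC\Preview\HEIC` and `OC\Preview\PDF` providers removed here. From a hardening standpoint that is a reasonable outcome, since those two hand untrusted uploads to ImageMagick/Ghostscript, but the intent is invisible to the next person editing the template; a one-line comment above `'default_phone_region' => 'IT',` such as `// previews: rely on Nextcloud defaults (no PDF/HEIC via ImageMagick); set enabledPreviewProviders explicitly to opt in` would make the choice deliberate rather than accidental. The `$CONFIG` array begins outside the hunk; only its closing `);` is visible here.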